[Users] That won't work.
Jeremy Nicoll
jn.ml.clwm.729 at letterboxes.org
Tue Oct 13 18:39:12 CEST 2020
On Tue, 13 Oct 2020, at 15:25, Jeremy Nicoll wrote:
> Claws could at least partially protect users by having an encoded
> version of the parm, eg "%encto" available for use in this situation.
>
> Then rather than plugging eg
>
> You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"
>
> into the command string, Claws could insert instead
> 596F75203C6C656...
There's a refinement needed in the general case, if several parms
are to be passed and any can be empty, which is to prefix or
suffix each hex string with something so that even if the hex part
is completely empty the script sees a placeholder. So if eg one
was passing three vars one might insert
p1=hex1 p2=hex2 p3=hex3
or just
p=hex1 p=hex2 p=hex3
(ie no need to number them). Then if hex2 was empty, the string
would be
p=hex1 p= p=hex3
--
Jeremy Nicoll - my opinions are my own.
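The scheme described in the message above, worked through as an added example in POSIX sh (this is not Claws Mail code and was not supplied by the post's author): the sending side hex-encodes every parameter as a "p=<hex>" token, an empty value still produces a bare "p=" placeholder, and the receiving script accepts only tokens of that exact shape before decoding them. The function names, the "handler.sh" command and the recipient string are constructed for the example.

```shell
#!/bin/sh
# Added example, not Claws Mail code: the "p=<hex>" parameter scheme from the
# message above.  hex_encode/encode_params stand in for what the mail client
# would do; decode_param is the receiving script's side.  Names are made up.

# Encode one value as uppercase hex, no separators, no trailing newline.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Decode a hex string back to bytes.  POSIX awk prints the byte for a numeric
# %c argument; LC_ALL=C keeps it byte-oriented for values above 127.
hex_decode() {
    printf '%s' "$1" | LC_ALL=C awk '{
        d = "0123456789abcdef"
        s = tolower($0)
        for (i = 1; i <= length(s); i += 2) {
            v = (index(d, substr(s, i, 1)) - 1) * 16 + index(d, substr(s, i + 1, 1)) - 1
            printf "%c", v
        }
    }'
}

# Build "p=hex1 p=hex2 ..." for any number of values.  An empty value still
# yields a bare "p=" so the script sees a placeholder in every position.
encode_params() {
    sep=''
    for v in "$@"; do
        printf '%s' "${sep}p=$(hex_encode "$v")"
        sep=' '
    done
}

# Receiving side: accept only "p=" followed by hex digits; anything else is
# rejected instead of being interpreted.
decode_param() {
    case $1 in
        p=)               ;;            # empty slot, prints nothing
        p=*[!0-9A-Fa-f]*) return 1 ;;   # not hex: refuse it
        p=*)              hex_decode "${1#p=}" ;;
        *)                return 1 ;;
    esac
}

# Constructed input: the hostile recipient string quoted in the thread.
TO="You <legit at address.com>, \"Mr. Han';touch /tmp/boom;'\""

# Raw splicing would hand the shell quotes and a ';', i.e. a second command.
# Nothing here runs it; it is printed only to show what the shell would see.
printf 'unsafe: handler.sh %s\n' "'$TO'"

# Encoded splicing: the command line now holds only p=, hex digits and spaces.
ARGS=$(encode_params "$TO" "" "Subject line")
printf 'safe:   handler.sh %s\n' "$ARGS"

# What the handler does with its argv: the shell word-splits $ARGS into tokens.
set -- $ARGS
for tok in "$@"; do
    printf 'decoded: [%s]\n' "$(decode_param "$tok")"
done
```

The whitelist in decode_param is the part that matters on the receiving end: because a well-formed token can only contain "p=" and hex digits, nothing a user types can ever reach the shell as syntax, and the bare "p=" keeps the positions of the remaining parameters stable even when one of them is empty.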